CVE-2014-5182 Information

Description

Multiple SQL injection vulnerabilities in the yawpp plugin 1.2 for WordPress allow remote authenticated users with Contributor privileges to execute arbitrary SQL commands via vectors related to (1) admin_functions.php or (2) admin_update.php as demonstrated by the id parameter in the update action to wp-admin/admin.php.

Reference

http://codevigilant.com/disclosure/wp-plugin-yawpp-a1-injection http://wordpress.org/plugins/yawpp/changelog/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=83444540yawpp&old=82404240yawpp&sfp_email=&sfph_mail=file36